Search results

As you may have heard already, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released a joint... Cloud Security Drovorub’s Ability to Conceal C2 Traffic And Its Implications For Docker Containers Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 8/15/20 Published As you may have heard already, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory about previously undisclosed Russian malware called Drovorub. According to the report, the malware is designed for Linux systems as part of its cyber espionage operations. Drovorub is a Linux malware toolset that consists of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. The name Drovorub originates from the Russian language. It is a complex word that consists of 2 roots (not the full words): “drov” and “rub” . The “o” in between is used to join both roots together. The root “drov” forms a noun “drova” , which translates to “firewood” , or “wood” . The root “rub” /ˈruːb/ forms a verb “rubit” , which translates to “to fell” , or “to chop” . Hence, the original meaning of this word is indeed a “woodcutter” . What the report omits, however, is that apart from the classic interpretation, there is also slang. In the Russian computer slang, the word “drova” is widely used to denote “drivers” . The word “rubit” also has other meanings in Russian. It may mean to kill, to disable, to switch off. In the Russian slang, “rubit” also means to understand something very well, to be professional in a specific field. It resonates with the English word “sharp” – to be able to cut through the problem. Hence, we have 3 possible interpretations of ‘ Drovorub ‘: someone who chops wood – “дроворуб” someone who disables other kernel-mode drivers – “тот, кто отрубает / рубит драйвера” someone who understands kernel-mode drivers very well – “тот, кто (хорошо) рубит в драйверах” Given that Drovorub does not disable other drivers, the last interpretation could be the intended one. In that case, “Drovorub” could be a code name of the project or even someone’s nickname. Let’s put aside the intricacies of the Russian translations and get a closer look into the report. DISCLAIMER Before we dive into some of the Drovorub analysis aspects, we need to make clear that neither FBI nor NSA has shared any hashes or any samples of Drovorub. Without the samples, it’s impossible to conduct a full reverse engineering analysis of the malware. Netfilter Hiding According to the report, the Drovorub-kernel module registers a Netfilter hook. A network packet filter with a Netfilter hook ( NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT ) is a common malware technique. It allows a backdoor to watch passively for certain magic packets or series of packets, to extract C2 traffic. What is interesting though, is that the driver also hooks the kernel’s nf_register_hook() function. The hook handler will register the original Netfilter hook, then un-register it, then re-register the kernel’s own Netfilter hook. According to the nf_register_hook() function in the Netfilter’s source , if two hooks have the same protocol family (e.g., PF_INET ), and the same hook identifier (e.g., NF_IP_INPUT ), the hook execution sequence is determined by priority. The hook list enumerator breaks at the position of an existing hook with a priority number elem->priority higher than the new hook’s priority number reg->priority : int nf_register_hook ( struct nf_hook_ops * reg) { struct nf_hook_ops * elem; int err; err = mutex_lock_interruptible( & nf_hook_mutex); if (err < 0 ) return err; list_for_each_entry(elem, & nf_hooks[reg -> pf][reg -> hooknum], list) { if (reg -> priority < elem -> priority) break ; } list_add_rcu( & reg -> list, elem -> list.prev); mutex_unlock( & nf_hook_mutex); ... return 0 ; } In that case, the new hook is inserted into the list, so that the higher-priority hook’s PREVIOUS link would point into the newly inserted hook. What happens if the new hook’s priority is also the same, such as NF_IP_PRI_FIRST – the maximum hook priority? In that case, the break condition will not be met, the list iterator list_for_each_entry will slide past the existing hook, and the new hook will be inserted after it as if the new hook’s priority was higher. By re-inserting its Netfilter hook in the hook handler of the nf_register_hook() function, the driver makes sure the Drovorub’s Netfilter hook will beat any other registered hook at the same hook number and with the same (maximum) priority. If the intercepted TCP packet does not belong to the hidden TCP connection, or if it’s destined to or originates from another process, hidden by Drovorub’s kernel-mode driver, the hook will return 5 ( NF_STOP ). Doing so will prevent other hooks from being called to process the same packet. Security Implications For Docker Containers Given that Drovorub toolset targets Linux and contains a port forwarding tool to route network traffic to other hosts on the compromised network, it would not be entirely unreasonable to assume that this toolset was detected in a client’s cloud infrastructure. According to Gartner’s prediction , in just two years, more than 75% of global organizations will be running cloud-native containerized applications in production, up from less than 30% today. Would the Drovorub toolset survive, if the client’s cloud infrastructure was running containerized applications? Would that facilitate the attack or would it disrupt it? Would it make the breach stealthier? To answer these questions, we have tested a different malicious toolset, CloudSnooper, reported earlier this year by Sophos. Just like Drovorub, CloudSnooper’s kernel-mode driver also relies on a Netfilter hook ( NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT ) to extract C2 traffic from the intercepted TCP packets. As seen in the FBI/NSA report, the Volatility framework was used to carve the Drovorub kernel module out of the host, running CentOS. In our little lab experiment, let’s also use CentOS host. To build a new Docker container image, let’s construct the following Dockerfile: FROM scratch ADD centos-7.4.1708-docker.tar.xz / ADD rootkit.ko / CMD [“/bin/bash”] The new image, built from scratch, will have the CentOS 7.4 installed. The kernel-mode rootkit will be added to its root directory. Let’s build an image from our Dockerfile, and call it ‘test’: [root@localhost 1]# docker build . -t test Sending build context to Docker daemon 43.6MB Step 1/4 : FROM scratch —> Step 2/4 : ADD centos-7.4.1708-docker.tar.xz / —> 0c3c322f2e28 Step 3/4 : ADD rootkit.ko / —> 5aaa26212769 Step 4/4 : CMD [“/bin/bash”] —> Running in 8e34940342a2 Removing intermediate container 8e34940342a2 —> 575e3875cdab Successfully built 575e3875cdab Successfully tagged test:latest Next, let’s execute our image interactively (with pseudo-TTY and STDIN ): docker run -it test The executed image will be waiting for our commands: [root@8921e4c7d45e /]# Next, let’s try to load the malicious kernel module: [root@8921e4c7d45e /]# insmod rootkit.ko The output of this command is: insmod: ERROR: could not insert module rootkit.ko: Operation not permitted The reason why it failed is that by default, Docker containers are ‘unprivileged’. Loading a kernel module from a docker container requires a special privilege that allows it doing so. Let’s repeat our experiment. This time, let’s execute our image either in a fully privileged mode or by enabling only one capability – a capability to load and unload kernel modules ( SYS_MODULE ). docker run -it –privileged test or docker run -it –cap-add SYS_MODULE test Let’s load our driver again: [root@547451b8bf87 /]# insmod rootkit.ko This time, the command is executed silently. Running lsmod command allows us to enlist the driver and to prove it was loaded just fine. A little magic here is to quit the docker container and then delete its image: docker rmi -f test Next, let’s execute lsmod again, only this time on the host. The output produced by lsmod will confirm the rootkit module is loaded on the host even after the container image is fully unloaded from memory and deleted! Let’s see what ports are open on the host: [root@localhost 1]# netstat -tulpn Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1044/sshd With the SSH server running on port 22 , let’s send a C2 ‘ping’ command to the rootkit over port 22 : [root@localhost 1]# python client.py 127.0.0.1 22 8080 rrootkit-negotiation: hello The ‘hello’ response from the rootkit proves it’s fully operational. The Netfilter hook detects a command concealed in a TCP packet transferred over port 22 , even though the host runs SSH server on port 22 . How was it possible that a rootkit loaded from a docker container ended up loaded on the host? The answer is simple: a docker container is not a virtual machine. Despite the namespace and ‘control groups’ isolation, it still relies on the same kernel as the host. Therefore, a kernel-mode rootkit loaded from inside a Docker container instantly compromises the host, thus allowing the attackers to compromise other containers that reside on the same host. It is true that by default, a Docker container is ‘unprivileged’ and hence, may not load kernel-mode drivers. However, if a host is compromised, or if a trojanized container image detects the presence of the SYS_MODULE capability (as required by many legitimate Docker containers), loading a kernel-mode rootkit on a host from inside a container becomes a trivial task. Detecting the SYS_MODULE capability ( cap_sys_module ) from inside the container: [root@80402f9c2e4c /]# capsh –print Current: = cap_chown, … cap_sys_module, … Conclusion This post is drawing a parallel between the recently reported Drovorub rootkit and CloudSnooper, a rootkit reported earlier this year. Allegedly built by different teams, both of these Linux rootkits have one mechanism in common: a Netfilter hook ( NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT ) and a toolset that enables tunneling of the traffic to other hosts within the same compromised cloud infrastructure. We are still hunting for the hashes and samples of Drovorub. Unfortunately, the YARA rules published by FBI/NSA cause False Positives. For example, the “Rule to detect Drovorub-server, Drovorub-agent, and Drovorub-client binaries based on unique strings and strings indicating statically linked libraries” enlists the following strings: “Poco” “Json” “OpenSSL” “clientid” “—–BEGIN” “—–END” “tunnel” The string “Poco” comes from the POCO C++ Libraries that are used for over 15 years. It is w-a-a-a-a-y too generic, even in combination with other generic strings. As a result, all these strings, along with the ELF header and a file size between 1MB and 10MB, produce a false hit on legitimate ARM libraries, such as a library used for GPS navigation on Android devices: f058ebb581f22882290b27725df94bb302b89504 56c36bfd4bbb1e3084e8e87657f02dbc4ba87755 Nevertheless, based on the information available today, our interest is naturally drawn to the security implications of these Linux rootkits for the Docker containers. Regardless of what security mechanisms may have been compromised, Docker containers contribute an additional attack surface, another opportunity for the attackers to compromise the hosts and other containers within the same organization. The scenario outlined in this post is purely hypothetical. There is no evidence that supports that Drovorub may have affected any containers. However, an increase in volume and sophistication of attacks against Linux-based cloud-native production environments, coupled with the increased proliferation of containers, suggests that such a scenario may, in fact, be plausible. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

A recent news article from Bleeping Computer called out an incident involving Japanese game developer Ateam, in which a misconfiguration... Cyber Attacks & Incident Response Mitigating cloud security risks through comprehensive automated solutions Malynnda Littky-Porath 2 min read Malynnda Littky-Porath Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 1/8/24 Published A recent news article from Bleeping Computer called out an incident involving Japanese game developer Ateam, in which a misconfiguration in Google Drive led to the potential exposure of sensitive information for nearly one million individuals over a period of six years and eight months. Such incidents highlight the critical importance of securing cloud services to prevent data breaches. This blog post explores how organizations can avoid cloud security risks and ensuring the safety of sensitive information. What caused the Ateam Google Drive misconfiguration? Ateam, a renowned mobile game and content creator, discovered on November 21, 2023, that it had mistakenly set a Google Drive cloud storage instance to “Anyone on the internet with the link can view” since March 2017. This configuration error exposed 1,369 files containing personal information, including full names, email addresses, phone numbers, customer management numbers, and device identification numbers, for approximately 935,779 individuals. Avoiding cloud security risks by using automation To prevent such incidents and enhance cloud security, organizations can leverage tools such as AlgoSec, a comprehensive solution that addresses potential vulnerabilities and misconfigurations. It is important to look for cloud security partners who offer the following key features: Automated configuration checks: AlgoSec conducts automated checks on cloud configurations to identify and rectify any insecure settings. This ensures that sensitive data remains protected and inaccessible to unauthorized individuals. Policy compliance management: AlgoSec assists organizations in adhering to industry regulations and internal security policies by continuously monitoring cloud configurations. This proactive approach reduces the likelihood of accidental exposure of sensitive information. Risk assessment and mitigation: AlgoSec provides real-time risk assessments, allowing organizations to promptly identify and mitigate potential security risks. This proactive stance helps in preventing data breaches and maintaining the integrity of cloud services. Incident response capabilities: In the event of a misconfiguration or security incident, AlgoSec offers robust incident response capabilities. This includes rapid identification, containment, and resolution of security issues to minimize the impact on the organization. The Ateam incident serves as a stark reminder of the importance of securing cloud services to safeguard sensitive data. AlgoSec emerges as a valuable ally in this endeavor, offering automated configuration checks, policy compliance management, risk assessment, and incident response capabilities. By incorporating AlgoSec into their security strategy, organizations can significantly reduce the risk of cloud security incidents and ensure the confidentiality of their data. Request a brief demo to learn more about advanced cloud protection. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Can Firewalls Be Hacked? Yes, Here’s 6 Vulnerabilities Like all security tools, firewalls can be hacked. That’s what happened to the... Cyber Attacks & Incident Response Can Firewalls Be Hacked? Yes, Here’s 6 Vulnerabilities Tsippi Dach 2 min read Tsippi Dach Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/20/23 Published Can Firewalls Be Hacked? Yes, Here’s 6 Vulnerabilities Like all security tools, firewalls can be hacked. That’s what happened to the social media platform X in January 2023, when it was still Twitter. Hackers exploited an API vulnerability that had been exposed since June the previous year. This gave them access to the platform’s security system and allowed them to leak sensitive information on millions of users. This breach occurred because the organization’s firewalls were not configured to examine API traffic with enough scrutiny. This failure in firewall protection led to the leak of more than 200 million names, email addresses, and usernames, along with other information, putting victims at risk of identity theft . Firewalls are your organization’s first line of defense against malware and data breaches. They inspect all traffic traveling into and out of your network, looking for signs of cyber attacks and blocking malicious activity when they find it. This makes them an important part of every organization’s cybersecurity strategy. Effective firewall management and configuration is vital for preventing cybercrime. Read on to find out how you can protect your organization from attacks that exploit firewall vulnerabilities you may not be aware of. Understanding the 4 Types of Firewalls The first thing every executive and IT leader should know is that there are four basic types of firewalls . Each category offers a different level of protection, with simpler solutions costing less than more advanced ones. Most organizations need to use some combination of these four firewall types to protect sensitive data effectively. Keep in mind that buying more advanced firewalls is not always the answer. Optimal firewall management usually means deploying the right type of firewall for its particular use case. Ideally, these should be implemented alongside multi-layered network security solutions that include network detection and response, endpoint security, and security information and event management (SIEM) technology. 1. Packet Filtering Firewalls These are the oldest and most basic types of firewalls. They operate at the network layer, checking individual data packets for their source IP address and destination IP. They also verify the connection protocol, as well as the source port and destination port against predefined rules. The firewall drops packets that fail to meet these standards, protecting the network from potentially harmful threats. Packet filtering firewalls are among the fastest and cheapest types of firewalls available. Since they can not inspect the contents of data packets, they offer minimal functionality. They also can’t keep track of established connections or enforce rules that rely on knowledge of network connection states. This is why they are considered stateless firewalls. 2. Stateful Inspection Firewalls These firewalls also perform packet inspection, but they ingest more information about the traffic they inspect and compare that information against a list of established connections and network states. Stateful inspection firewalls work by creating a table that contains the IP and port data for traffic sources and destinations, and dynamically check whether data packets are part of a verified active connection. This approach allows stateful inspection firewalls to deny data packets that do not belong to a verified connection. However, the process of checking data packets against the state table consumes system resources and slows down traffic. This makes stateful inspection firewalls vulnerable to Distributed Denial-of-Service (DDoS) attacks. 3. Application Layer Gateways These firewalls operate at the application layer, inspecting and managing traffic based on specific applications or protocols, providing deep packet inspection and content filtering. They are also known as proxy firewalls because they can be implemented at the application layer through a proxy device. In practice, this means that an external client trying to access your system has to send a request to the proxy firewall first. The firewall verifies the authenticity of the request and forwards it to an internal server. They can also work the other way around, providing internal users with access to external resources (like public web pages) without exposing the identity or location of the internal device used. 4. Next-Generation Firewalls (NGFW) Next-generation firewalls combine traditional firewall functions with advanced features such as intrusion prevention, antivirus, and application awareness . They contextualize data packet flows and enrich them with additional data, providing comprehensive security against a wide range of threats. Instead of relying exclusively on IP addresses and port information, NGFWs can perform identity-based monitoring of individual users, applications, and assets. For example, a properly configured NGFW can follow a single user’s network traffic across multiple devices and operating systems, providing an activity timeline even if the user switches between a desktop computer running Microsoft Windows and an Amazon AWS instance controlling routers and iOT devices. How Do These Firewalls Function? Each type of firewall has a unique set of functions that serve to improve the organization’s security posture and prevent hackers from carrying out malicious cyber attacks. Optimizing your firewall fleet means deploying the right type of solution for each particular use case throughout your network. Some of the most valuable functions that firewalls perform include: Traffic Control They regulate incoming and outgoing traffic, ensuring that only legitimate and authorized data flows through the network. This is especially helpful in cases where large volumes of automated traffic can slow down routine operations and disrupt operations. For example, many modern firewalls include rules designed to deny bot traffic. Some non-human traffic is harmless, like the search engine crawlers that determine your website’s ranking against certain keyword searches. However, the vast majority of bot traffic is either unnecessary or malicious. Firewalls can help you keep your infrastructure costs down by filtering out connection attempts from automated sources you don’t trust. Protection Against Cyber Threats Firewalls act as a shield against various cyber threats, including phishing attacks, malware and ransomware attacks . Since they are your first line of defense, any malicious activity that targets your organization will have to bypass your firewall first. Hackers know this, which is why they spend a great deal of time and effort finding ways to bypass firewall protection. They can do this by exploiting technical vulnerabilities in your firewall devices or by hiding their activities in legitimate traffic. For example, many firewalls do not inspect authenticated connections from trusted users. If cybercriminals learn your login credentials and use your authenticated account to conduct an attack, your firewalls may not notice the malicious activity at all. Network Segmentation By defining access rules, firewalls can segment networks into zones with varying levels of trust, limiting lateral movement for attackers. This effectively isolates cybercriminals into the zone they originally infiltrated, and increases the chance they make a mistake and reveal themselves trying to access additional assets throughout your network. Network segmentation is an important aspect of the Zero Trust framework. Firewalls can help reinforce the Zero Trust approach by inspecting traffic traveling between internal networks and dropping connections that fail to authenticate themselves. Security Policy Enforcement Firewalls enforce security policies, ensuring that organizations comply with their security standards and regulatory requirements. Security frameworks like NIST , ISO 27001/27002 , and CIS specify policies and controls that organizations need to implement in order to achieve compliance. Many of these frameworks stipulate firewall controls and features that require organizations to invest in optimizing their deployments. They also include foundational and organizational controls where firewalls play a supporting role, contributing to a stronger multi-layered cybersecurity strategy. Intrusion Detection and Prevention Advanced firewalls include intrusion detection and prevention capabilities, which can identify and block suspicious activities in real-time. This allows security teams to automate their response to some of the high-volume security events that would otherwise drag down performance . Automatically detecting and blocking known exploits frees IT staff to spend more time on high-impact strategic work that can boost the organization’s security posture. Logging and Reporting Firewalls generate logs and reports that assist in security analysis, incident response, and compliance reporting. These logs provide in-depth data on who accessed the organization’s IT assets, and when the connection occurred. They enable security teams to conduct forensic investigations into security incidents, driving security performance and generating valuable insights into the organization’s real-world security risk profile. Organizations that want to implement SIEM technology must also connect their firewall devices to the platform and configure them to send log data to their SIEM for centralized analysis. This gives security teams visibility into the entire organization’s attack surface and enables them to adopt a Zero Trust approach to managing log traffic. Common Vulnerabilities & Weaknesses Firewalls Share Firewalls are crucial for network security, but they are not immune to vulnerabilities. Common weaknesses most firewall solutions share include: Zero-day vulnerabilities These are vulnerabilities in firewall software or hardware that are unknown to the vendor or the general public. Attackers can exploit them before patches or updates are available, making zero-day attacks highly effective. Highly advanced NGFW solutions can protect against zero-day attacks by inspecting behavioral data and using AI-enriched analysis to detect unknown threats. Backdoors Backdoors are secret entry points left by developers or attackers within a firewall’s code. These hidden access points can be exploited to bypass security measures. Security teams must continuously verify their firewall configurations to identify the signs of backdoor attacks. Robust and effective change management solutions help prevent backdoors from remaining hidden. Header manipulation Attackers may manipulate packet headers to trick firewalls into allowing unauthorized traffic or obscuring their malicious intent. There are multiple ways to manipulate the “Host” header in HTTP traffic to execute attacks. Security teams need to configure their firewalls and servers to validate incoming HTTP traffic and limit exposure to header vulnerabilities. How Cyber Criminals Exploit These Vulnerabilities Unauthorized Access Exploiting a vulnerability can allow cybercriminals to penetrate a network firewall, gaining access to sensitive data, proprietary information, or critical systems. Once hackers gain unauthorized access to a network asset, only a well-segmented network operating on Zero Trust principles can reliably force them to reveal themselves. Otherwise, they will probably remain hidden until they launch an active attack. Data Breaches Once inside your network, attackers may exfiltrate sensitive information, including customer data, intellectual property, and financial records (like credit cards), leading to data breaches. These complex security incidents can lead to major business disruptions and reputational damage, as well as enormous recovery costs. Malware Distribution Attackers may use compromised firewalls to distribute malware, ransomware, or malicious payloads to other devices within the network. This type of attack may focus on exploiting your systems and network assets, or it may target networks adjacent to your own – like your third-party vendors, affiliate partners, or customers. Denial of Service (DDoS) Exploited firewalls can be used in DDoS attacks, potentially disrupting network services and rendering them unavailable to users. This leads to expensive downtime and reputational damage. Some hackers try to extort their victims directly, demanding organizations pay money to stop the attack. 6 Techniques Used to Bypass Firewalls 1. Malware and Payload Delivery Attackers use malicious software and payloads to exploit firewall vulnerabilities, allowing them to infiltrate networks or systems undetected. This often occurs due to unpatched security vulnerabilities in popular firewall operating systems. For example, in June 2023 Fortinet addressed a critical-severity FortiOS vulnerability with a security patch. One month later in July, there were still 300,000 Fortinet firewalls still using the unpatched operating system. 2. Phishing Attacks Phishing involves tricking individuals into divulging sensitive information or executing malicious actions. Attackers use deceptive emails or websites that may bypass firewall filters. If they gain access to privileged user account credentials, they may be able to bypass firewall policies entirely, or even reconfigure firewalls themselves. 3. Social Engineering Tactics Cybercriminals manipulate human psychology to deceive individuals into disclosing confidential information, effectively bypassing technical security measures like firewalls. This is typically done through social media, email, or by telephone. Attackers may impersonate authority figures both inside and outside the organization and demand access to sensitive assets without going through the appropriate security checks. 4. Deep Packet Inspection Evasion Attackers employ techniques to disguise malicious traffic, making it appear benign to firewalls using deep packet inspection, allowing it to pass through undetected. Some open-source tools like SymTCP can achieve this by running symbolic executions on the server’s TCP implementation, scanning the resulting execution paths, and sending malicious data through any handling discrepancies identified. 5. VPNs and Remote Access Attackers may use Virtual Private Networks (VPNs) and remote access methods to circumvent firewall restrictions and gain unauthorized entry into networks. This is particularly easy in cases where simple geo restrictions block traffic from IP addresses associated with certain countries or regions. Attackers may also use more sophisticated versions of this technique to access exposed services that don’t require authentication, like certain containerized servers . 6. Intrusion Prevention Systems (IPS) Bypass Sophisticated attackers attempt to evade IPS systems by crafting traffic patterns or attacks that go undetected, enabling them to compromise network security. For example, they may use technologies to decode remote access tool executable files hidden inside certificate files, allowing them to reassemble the malicious file after it passes through the IPS. Protecting Against Firewall Vulnerabilities Multi-factor Authentication (MFA) MFA adds an extra layer of security by requiring users to provide multiple forms of identification, such as a password and a one-time code sent to their mobile device, before they gain access. This prevents attackers from accessing sensitive network assets immediately after stealing privileged login credentials. Knowing an account holder’s password and username is not enough. Two-factor Authentication (2FA) 2FA is a subset of MFA that involves using two authentication factors, typically something the user knows (password) and something the user has (a mobile device or security token), to verify identity and enhance firewall security. Other versions use biometrics like fingerprint scanning to authenticate the user. Intrusion Prevention Systems (IPS) IPS solutions work alongside firewalls to actively monitor network traffic for suspicious activity and known attack patterns, helping to block or mitigate threats before they can breach the network. These systems significantly reduce the amount of manual effort that goes into detecting and blocking known malicious attack techniques. Web Application Firewalls (WAF) WAFs are specialized firewalls designed to protect web applications from a wide range of threats, including SQL injection, cross-site scripting (XSS), and other web-based attacks. Since these firewalls focus specifically on HTTP traffic, they are a type of application level gateway designed specifically for web applications that interact with users on the public internet. Antivirus Software and Anti-malware Tools Deploying up-to-date antivirus and anti-malware software on endpoints, servers, and Wi-Fi network routers helps detect and remove malicious software, reducing the risk of firewall compromise. In order to work effectively, these tools must be configured to detect and mitigate the latest threats alongside the organization’s other security tools and firewalls. Automated solutions can help terminate unauthorized processes before attackers get a chance to deliver malicious payloads. Regular Updates and Patch Management Keeping firewalls and all associated software up-to-date with the latest security patches and firmware updates is essential for addressing known vulnerabilities and ensuring optimal security. Security teams should know when configuration changes are taking place, and be equipped to respond quickly when unauthorized changes take place. Implementing a comprehensive visibility and change management platform like AlgoSec makes this possible. With AlgoSec, you can simulate the effects of network configuration changes and proactively defend against sophisticated threats before attackers have a chance to strike. Monitoring Network Traffic for Anomalies Continuous monitoring of network traffic helps identify unusual patterns or behaviors that may indicate a security incident. Anomalies can trigger alerts for further investigation and response. Network detection and response solutions grant visibility into network activities that would otherwise go unnoticed, potentially giving security personnel early warning when unannounced changes or suspicious behaviors take place. Streamline Your Firewall Security With AlgoSec Organizations continue to face increasingly sophisticated cyber threats, including attacks that capitalize on misconfigured firewalls – or manipulate firewall configurations directly. Firewall management software has become a valuable tool for maintaining a robust network security posture and ensuring regulatory compliance. AlgoSec plays a vital role enhancing firewall security by automating policy analysis, optimizing rule sets, streamlining change management, and providing real-time monitoring and visibility. Find out how to make the most of your firewall deployment and detect unauthorized changes to firewall configurations with our help. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

A Decoy Network The strategy behind Sun Tzu’s ‘Art of War’ has been used by the military, sports teams, and pretty much anyone looking... Cyber Attacks & Incident Response How to Use Decoy Deception for Network Protection Matthew Pascucci 2 min read Matthew Pascucci Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 6/30/15 Published A Decoy Network The strategy behind Sun Tzu’s ‘Art of War’ has been used by the military, sports teams, and pretty much anyone looking for a strategic edge against their foes. As Sun Tzu says “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.” Sun Tzu understood that to gain an advantage on your opponent you need to catch him off guard, make him believe you’re something you’re not, so that you can leverage this opportunity to your advantage. As security practitioners we should all supplement our security practices with this timed and tested decoy technique against cyber attackers. There are a few technologies that can be used as decoys, and two of the most common are honeypots and false decoy accounts: A honeypot is a specially designed piece of software that mimics another system, normally with vulnerable services that aren’t really vulnerable, in order to attract the attention of an attacker as they’re sneaking through your network. Decoy accounts are created in order to check if someone is attempting to log into them. When an attempt is made security experts can then investigate the attackers’ techniques and strategies, without being detected or any data being compromised. Design the right decoy But before actually setting up either of these two techniques you first need to think about how to design the decoy in a way that will be believable. These decoy systems shouldn’t be overtly obvious, yet they need to entice the hacker so that he can’t pass up the opportunity. So think like an attacker: What would an attacker do first when gaining access to a network? How would he exploit a system? Will they install malware? Will they perform a recon scan looking for pivot points? Figuring out what your opponent will do once they’ve gained access to your network is the key to building attractive decoy systems and effective preventive measures. Place it in plain sight You also need to figure out the right place for your decoys. You want to install decoys into your network around areas of high value, as well as systems that are not properly monitored with other security technologies. They should be hiding in plain sight and mimicking the systems or accounts that they’re living next to. This means running similar services, have hostnames that fall in line with your syntax, running on the same operating systems (one exception is decoys running a few exploitable services to entice the attacker). The goes the same for accounts that you’ve seeded in applications or authentication services. We decided that in addition to family photos, it was time to focus on couples photoshoot ! Last fall we aired our popular City Photoshoot Tips & Ideas and as a result, gave you TONS of ideas and inspiration. And last but not least, you need to find a way to discretely publicize your applications or accounts in order to attract the attacker. Then, when an attacker tries to log in to the decoy applications or accounts (which should be disabled) you should immediately and automatically start tracking and investigating the attack path. Watch and learn Another important point to make is that once a breach attempt has been made you shouldn’t immediately cut off the account. You might want to watch the hacker for a period of time to see what else that he might access on the network. Many times tracking their actions over a period of time will give you a lot more actionable information that will ultimately help you create a far more secure perimeter. Think of it as a plainclothes police officer following a known criminal. Many times the police will follow a criminal to see if he will lead them toward more information about their activities before making an arrest. Use the same techniques. If an attacker trips over a few of carefully laid traps, it’s possible that he’s just starting to poke around your network. It’s up to you, while you have the upper hand, to determine if you start remediation or continue to guide them under your watchful eye. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

CIS provides best practices to help companies like yours improve their cloud security posture. You’ll protect your systems against... Cloud Security What is CIS Compliance? (and How to Apply CIS Benchmarks) Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 6/20/23 Published CIS provides best practices to help companies like yours improve their cloud security posture. You’ll protect your systems against various threats by complying with its benchmark standards. This post will walk you through CIS benchmarks, their development, and the kinds of systems they apply to. We will also discuss the significance of CIS compliance and how Prevasio may help you achieve it. What are CIS benchmarks? CIS stands for Center for Internet Security . It’s a nonprofit organization that aims to improve companies’ cybersecurity readiness and response. Founded in 2000, the CIS comprises cybersecurity experts from diverse backgrounds. They have the common goal of enhancing cybersecurity resilience and reducing security threats. CIS compliance means adhering to the Center for Internet Security (CIS) benchmarks. CIS benchmarks are best practices and guidelines to help you build a robust cloud security strategy. These CIS benchmarks give a detailed road map for protecting a business’s IT infrastructure. They also encompass various platforms, such as web servers or cloud bases. The CIS benchmarks are frequently called industry standards. They are normally in line with other regulatory organizations, such as ISO, NIST, and HIPAA. Many firms adhere to CIS benchmarks to ensure they follow industry standards. They also do this to show their dedication to cybersecurity to clients and stakeholders. The CIS benchmarks and CIS controls are always tested through on-premises analysis by leading security firms. This ensures that CIS releases standards that are effective at mitigating cyber risks. How are the CIS benchmarks developed? A community of cybersecurity professionals around the world cooperatively develops CIS benchmarks. They exchange their knowledge, viewpoints, and experiences on a platform provided by CIS. The end result is consensus-based best practices that will protect various IT systems. The CIS benchmark development process typically involves the following steps: 1. Identify the technology: The first step is to identify the system or technology that has to be protected. This encompasses a range of applications. It can be an operating system, database, web server, or cloud environment. 2. Define the scope: The following stage is to specify the benchmark’s parameters. It involves defining what must be implemented for the technology to be successfully protected. They may include precise setups, guidelines, and safeguards. 3. Develop recommendations: Next, a community of cybersecurity experts will identify ideas for safeguarding the technology. These ideas are usually based on current best practices, norms, and guidelines. They may include the minimum security requirements and measures to be taken. 4. Expert consensus review: Thereafter, a broader group of experts and stakeholders assess the ideas. They will offer comments and suggestions for improvement. This level aims to achieve consensus on the appropriate technical safeguards. 5. Pilot testing: The benchmark is then tested in a real-world setting. At this point, CIS aims to determine its efficacy and spot any problems that need fixing. 6. Publication and maintenance: The CIS will publish the benchmark once it has been improved and verified. The benchmark will constantly be evaluated and updated to keep it current and useful for safeguarding IT systems. What are the CIS benchmark levels? CIS benchmarks are divided into three levels based on the complexity of an IT system. It’s up to you to choose the level you need based on the complexity of your IT environment. Each level of the benchmarks offers better security recommendations than the previous level. The following are the distinct categories that benchmarks are divided into: Level 1 This is the most basic level of CIS standards. It requires organizations to set basic security measures to reduce cyber threats. Some CIS guidelines at this level include password rules, system hardening, and risk management. The level 1 CIS benchmarks are ideal for small businesses with basic IT systems. Level 2 This is the intermediate level of the CIS benchmarks. It is suitable for small to medium businesses that have complex IT systems. The Level 2 CIS standards offer greater security recommendations to your cloud platform. It has guidelines for network segmentation, authentication, user permissions, logging, and monitoring. At this level, you’ll know where to focus your remediation efforts if you spot a vulnerability in your system. Level 2 also covers data protection topics like disaster recovery plans and encryption. Level 3 Level 3 is the most advanced level of the CIS benchmarks. It offers the highest security recommendations compared to the other two. Level 3 also offers the Security Technical Implementation Guide (STIG) profiles for companies. STIG are configuration guidelines developed by the Defense Information Systems Agency. These security standards help you meet US government requirements. This level is ideal for large organizations with the most sensitive and vital data. These are companies that must protect their IT systems from complex security threats. It offers guidelines for real-time security analytics, safe cloud environment setups, and enhanced threat detection. What types of systems do CIS benchmarks apply to? The CIS benchmarks are applicable to many IT systems used in a cloud environment. The following are examples of systems that CIS benchmarks can apply to: Operating systems: CIS benchmarks offer standard secure configurations for common operating systems, including Amazon Linux, Windows Servers, macOS, and Unix. They address network security, system hardening, and managing users and accounts. Cloud infrastructure: CIS benchmarks can help protect various cloud infrastructures, including public, private, and multi-cloud. They recommend guidelines that safeguard cloud systems by various cloud service providers. For example, network security, access restrictions, and data protection. The benchmarks cover cloud systems such as Amazon Web Services (AWS), Microsoft Azure, IBM, Oracle, and Google Cloud Platform. Server software: CIS benchmarks provide secure configuration baselines for various servers, including databases (SQL), DNS, Web, and authentication servers. The baselines cover system hardening, patch management, and access restrictions. Desktop software: Desktop apps such as music players, productivity programs, and web browsers can be weak points in your IT system. CIS benchmarks offer guidelines to help you protect your desktop software from vulnerabilities. They may include patch management, user and account management, and program setup. Mobile devices: The CIS benchmarks recommend safeguarding endpoints such as tablets and mobile devices. The standards include measures for data protection, account administration, and device configuration. Network devices: CIS benchmarks also involve network hardware, including switches, routers, and firewalls. Some standards for network devices include access restrictions, network segmentation, logging, and monitoring. Print devices: CIS benchmarks also cover print devices like printers and scanners. The CIS benchmark baselines include access restrictions, data protection, and firmware upgrades. Why is CIS compliance important? CIS compliance helps you maintain secure IT systems. It does this by helping you adhere to globally recognized cybersecurity standards. CIS benchmarks cover various IT systems and product categories, such as cloud infrastructures. So by ensuring CIS benchmark compliance, you reduce the risk of cyber threats to your IT systems. Achieving CIS compliance has several benefits: 1. Your business will meet internationally accepted cybersecurity standards . The CIS standards are developed through a consensus review process. This means they are founded on the most recent threat intelligence and best practices. So you can rely on the standards to build a solid foundation for securing your IT infrastructure. 2. It can help you meet regulatory compliance requirements for other important cybersecurity frameworks . CIS standards can help you prove that you comply with other industry regulations. This is especially true for companies that handle sensitive data or work in regulated sectors. CIS compliance is closely related to other regulatory compliances such as NIST, HIPAA, and PCI DSS. By implementing the CIS standards, you’ll conform to the applicable industry regulations. 3. Achieving CIS continuous compliance can help you lower your exposure to cybersecurity risks . In the process, safeguard your vital data and systems. This aids in preventing data breaches, malware infections, and other cyberattacks. Such incidents could seriously harm your company’s operations, image, and financial situation. A great example is the Scottish Oil giant, SSE. It had to pay €10M in penalties for failing to comply with a CIS standard in 2013. 4. Abiding by the security measures set by CIS guidelines can help you achieve your goals faster as a business. The guidelines cover the most important and frequently attacked areas of IT infrastructure. 5. CIS compliance enhances your general security posture. It also decreases the time and resources needed to maintain security. It does this by providing uniform security procedures across various platforms. How to achieve CIS compliance? Your organization can achieve CIS compliance by conforming to the guidelines of the CIS benchmarks and CIS controls. Each CIS benchmark usually includes a description of a recommended configuration. It also usually contains a justification for the implementation of the configuration. Finally, it offers step-by-step instructions on how to carry out the recommendation manually. While the standards may seem easy to implement manually, they may consume your time and increase the chances of human errors. That is why most security teams prefer using tools to automate achieving and maintaining CIS compliance. CIS hardened images are great examples of CIS compliance automation tools. They are pre-configured images that contain all the necessary recommendations from CIS benchmarks. You can be assured of maintaining compliance by using these CIS hardened images in your cloud environment. You can also use CSPM tools to automate achieving and maintaining CIS compliance. Cloud Security Posture Management tools automatically scan for vulnerabilities in your cloud. They then offer detailed instructions on how to fix those issues effectively. This way, your administrators don’t have to go through the pain of doing manual compliance checks. You save time and effort by working with a CSPM tool. Use Prevasio to monitor CIS compliance. Prevasio is a cloud-native application platform (CNAPP) that can help you achieve and maintain CIS compliance in various setups, including Azure, AWS, and GCP. A CNAPP is basically a CSPM tool on steroids. It combines the features of CSPM, CIEM, IAM, and CWPP tools into one solution. This means you’ll get clearer visibility of your cloud environment from one platform. Prevasio constantly assesses your system against the latest version of CIS benchmarks. It then generates reports showing areas that need adjustments to keep your cloud security cyber threat-proof. This saves you time as you won’t have to do the compliance checks manually. Prevasio also has a robust set of features to help you comply with standards from other regulatory bodies. So using this CSPM tool, you’ll automatically comply with HIPAA, PCI DSS, and GDPR. Prevasio offers strong vulnerability evaluation and management capabilities besides CIS compliance monitoring. It uses cutting-edge scanning algorithms to find known flaws, incorrect setups, and other security problems in IT settings. This can help you identify and fix vulnerabilities before fraudsters can exploit them. The bottom line on CIS compliance Achieving and maintaining CIS compliance is essential in today’s continually changing threat landscape . However, doing the compliance checks manually takes time. You may not also spot weaknesses in your cloud security in time. This means that you need to automate your CIS compliance. And what better solution than a cloud security posture management tool like Prevasio? Prevasio is the ideal option for observing compliance and preventing malware that attack surfaces in cloud assets. Prevasio offers a robust security platform to help you achieve CIS compliance and maintain a secure IT environment. This platform is agentless, meaning it doesn’t run on the cloud like most of its competitors. So you save a lot in costs every time Prevasio runs a scan. Prevaiso also conducts layer analysis. It helps you spot the exact line of code where the problem is rather than give a general area. In the process, saving you time spent identifying and solving critical threats. Try Prevasio today! Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

As cloud adoption and digital transformation increases, more sensitive data from applications is being stored in data containers. This is... Application Connectivity Management How to Make Container Security Threats More Containable Prof. Avishai Wool 2 min read Prof. Avishai Wool Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 9/8/22 Published As cloud adoption and digital transformation increases, more sensitive data from applications is being stored in data containers. This is why effective container security controls to securely manage application connectivity is an absolute must. AlgoSec CTO and Co-Founder, Prof. Avishai Wool provides some useful container security best practices to help you do just that. What is Container Security? Organizations, now more than ever, are adopting container technology. Instead of powering up servers and instances in the cloud, they are using containers to run business applications. Securing these is equally as important as securing other digital assets that the business is dependent on. There are two main pillars to think about: The code: you want to be able to scan the containers and make sure that they are running legitimate code without any vulnerabilities. The network: you need to control access to and from the container (what it can connect to), both inside the same cluster, other clusters, and different parts of the network. How critical is container security to managing application connectivity risks? To understand the role of container security within the overall view of network security, there are three points to consider. First, if you’re only concerned about securing the containers themselves, then you’re looking at nano-segmentation , which involves very granular controls inside the applications. Second, if you’re thinking about a slightly wider scope then you may be more concerned with microsegmentation , where you are segmenting between clusters or between servers in a single environment. Here you will want to enforce security controls that determine the allowable communication between specific endpoints at specific levels. Finally, if the communication needs to go further, from a container inside one cluster within one cloud environment to an asset that’s outside of the data center, then that might need to go through broader segmentation controls such as zoning technologies, security groups or a firewall at the border. So, there are all these layers where you can place network security policies. When you’re looking at a particular connectivity request (say for a new version of an application) from the point of view of a given container you should ask yourself: what is the container connected to? What is it communicating with? Where are those other sides of the connectivity placed? Based on that determination, you will then know which security controls you need to configure to allow that connectivity through the network. How does containerization correlate with application centric security policy management? There are a number of different aspects to the relationship between container security and application security. If an application uses containers to power up workloads then container security is very much an integral part of application security. When you’re adding new functionality to an application, powering up additional containers, asking containers to perform new tasks whereby they need to connect to additional assets, then the connectivity of those containers needs to be secured. And security controls need to be regulated or changed based on what the application needs them to do. Another factor in this relationship is the structure of the application. All the containers that run and support the application are often located in one cluster or a micro-segment of the network. So, much of the communication takes place inside that cluster, between one container or another, all in the same cluster. However, some of it can go to another cluster or somewhere that’s not even containerized. This is actually a good thing from an application point of view as the container structure can be used to understand the application structure as well. Not sure about container orchestration? Here’s what to know Container orchestration is part of a bigger orchestration play which is, in general, related to the concept of infrastructure as code. You want to be able to power up an environment with all the assets it requires, and have it function simultaneously so you can duplicate it. There are various orchestration technologies that can be used to deploy the security policies for containers , which is an excellent way to maintain container-based applications in a consistent and repeatable manner. Then if you need to double it or multiply it by 100, you can get cookie-cutter copies of the same thing. How will container security solutions play out in the future? Organizations today have the technology to enforce security controls at the container level, but these controls are very granular and it’s time-consuming to set policies and enforce them, particularly with issues like staff or skills shortages. Looking ahead, companies are likely to take a hierarchical view where container-based security is controlled at the application level by app owners or developers, and at the broader levels to ensure that the measures deployed throughout the network have the same degree of sophistication. Procedures and tooling are all evolving, so we don’t have a definitive answer as to how this will all end up. What are organizations going to be doing? Where will they place their controls? Who has the power to make the changes? When newer technologies are deployed, customer adoption will be crucial to understanding what makes the most sense. This will be interesting as there will be multiple scenarios to help companies master their security blueprint as we move forward. To learn how the use of containerization as a strategy can help reduce risk and drive application-centric security, check out this video . Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Eric Jeffery, AlgoSec’s regional solutions engineer, gives his view on the pivotal role of AppSec network engineers and how they can... Application Connectivity Management How AppSec Network Engineers Can Align Security with the Business Eric Jeffery 2 min read Eric Jeffery Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 7/13/22 Published Eric Jeffery, AlgoSec’s regional solutions engineer, gives his view on the pivotal role of AppSec network engineers and how they can positively impact the business It may surprise many people but the number one skills gap hampering today’s application security network engineers is primarily centred around the soft skills which includes communication, writing, presentation, team building and critical thinking. Why is this so important? Because first and foremost, their goal is to manage the organization’s security posture by deploying the best application security tools and technologies for the specific security and growth needs of the business. Keep things safe but don’t get in the way of revenue generation What an application security network engineer should not do is get in the way of developing new business-critical or revenue generating applications. At the same time, they need to understand that they have a leadership role to play in steering a safe and profitable course for the business. Starting with an in depth understanding of all wired traffic, AppSec network engineers need to know what applications are running on the network, how they communicate, who they communicate with and how to secure the traffic and connectivity flow associated with each one of them. An AppSec network engineer’s expertise should extend much more than mastering simple applications such as FTP and SSH. Rather, business traffic continuity should sit at the pinnacle of their responsibilities. There’s a lot of revenue generating traffic that they need to understand and put the right guardrails to protect it. However, equally as important, they need to make sure that the traffic is not hindered by outdated or irrelevant rules and policies, to avoid any negative financial impact on the organization. Layers of expertise beyond the OSI model A good starting point for any AppSec network engineer is to acquire a commanding knowledge of the seven layers of the OSI model, especially Layer 6 which covers Presentation. In practical terms, this means that they should have a thorough understanding of the network and transport layers – knowing what traffic is going across the network and why. It’s also helpful to have basic scripting knowledge and an understanding of simple scripts such as a cron job for scheduling tasks. It could also be useful to know some basic level programming like Perl and PHP. Beyond the network skills, AppSec network engineers should grasp the business vertical in which they operate. Once they gain an understanding of the business DNA and the applications that make it tick, then they can add real value to their organizations. What’s on the network vs. what should be on the network Should AppSec network engineers be expected to understand business and applications? Absolutely. With this level of skill and knowledge, they can help the business progress securely by corelating what is actually in the network environment versus what should be in the environment. Once they have clear understanding, they can clean up then environment and optimize network performance with enhanced security. This becomes more critical as organizations grow and develop, often allowing too much unnecessary traffic into the environment. Typically, this is how the scenario plays out: Applications are added or removed (decommissioned), or a new vendor or solution is brought on board and the firewall turns into a de facto router. The end result of such often leads to new vulnerabilities and too many unnecessary threat vectors. This is precisely where the aforementioned soft skills come in – an AppSec network engineer should be able to call out practices that don’t align with business goals. It’s also incumbent upon organizations to offer soft skills training to help their AppSec network engineers become more valuable to their teams. Need an application view to be effective in securing the business When firewalls become de facto routers, organizations end up relying on other areas for security. However, security needs to be aligned with the applications to prevent cyber attacks from getting onto the network and then from moving laterally across the network, should they manage to bypass the firewalls. All too often, east-west security is inadequate and therefore, AppSec network engineers need to look at network segmentation and application segmentation as part of a holistic network security strategy. The good news is that there are some great new technologies that can help with segmenting an internal network. The lesser good news is that there’s a danger in the thinking that by bolting on new tools, the problem will be solved. So often these tools are only partially deployed before the team moves onto the next “latest and the greatest” solution. When exploring new technologies, AppSec network engineers must ask themselves the following: Is there a matching use case for each solution? Will procurement of another tool lead to securing the environment or will it just be another useless “flavor of the month” tool? Irregardless, once the new technology solution is acquired, it is imperative to align the right skilful people with this technology to enable the organization to intelligently secure the whole environment before moving onto a new tool. To further hone this point, celebrating the introduction of a new firewall is superfluous if at the end of the day, it does not utilize the right rules and policies. Ushering some of these new technologies without proper deployment will only leave gaping holes and give organizations a false sense of security, exposing them to continuous risks. Don’t put the cloud native cart before the horse The role of an AppSec network engineer becomes even more critical when moving to the cloud. It starts with asking probing questions: What are the applications in the business and why are we moving them to the cloud? Is it for scalability, speed of access or to update a legacy system? Will the business benefit from the investment and the potential performance impact? It’s also important to consider the architecture in the cloud: Is it containerized, public cloud, private cloud or hybrid? Once you get definitive answers to these questions, create reference architectures and get senior level buy-in. Finally, think about the order in which the enterprise migrates applications to the cloud and maybe start with some non-critical applications that only affect a small number of locations or people before risking moving critical revenue generating applications. Don’t put the cart before the horse. DevSecOps: We should be working together; you can be sure the criminals are… Network application security is complicated enough without introducing internal squabbles over resources or sacrificing security for speed. Security teams and development teams need to work together and focus on what is best for your business. Again, this where the soft skills like teamwork, communications and project management come into play. The bottom line is this: Understand bad actors and prepare for the worst. The bad guys are just chomping at the bit, waiting for your organizations to make the next mistake. To beat them, DevSecOps teams must leverage all the resources they have available. Future promise or false sense of security? There are some exciting new technologies to look forward to in the horizon to help secure the application environment. Areas like quantum computing, machine learning, AI and blockchain show great promise in outfoxing the cyber criminals in the healthcare and financial services industries. It is expected that the AppSec network engineer will play a vital role in the viability of these new technologies. Yet, the right technology will still need to be applied to the right use case correctly and then fully deployed to in order see any effective results. The takeaway So much of the role of the AppSec network engineer is about taking a cold hard look at the goals of the business and asking some challenging questions. It all starts with “what’s right for the business?” rather than “what’s the latest technology we can get our hands on?” To be an effective AppSec network engineer, individuals should not only know the corporate network inside out, but they also must have an overall grasp of applications and the applicable business cases they support. Furthermore, collaboration with developers and operations (DevOps) becomes an agent for rapid deployment of revenue generating or mission critical applications. But it still goes back to the soft skills. To protect the business from taking needless security risks and demand a seat at the decision-making table, AppSec network engineers need to apply strong leadership, project management and communications skills To learn more on the importance of AppSec network engineers to your organization’s cybersecurity team, watch the following video Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

In today’s dynamic digital landscape, the security of hybrid networks has taken center stage. As organizations increasingly adopt cloud... Hybrid Cloud Security Management Hybrid network security: Azure Firewall and AlgoSec solutions Joseph Hallman 2 min read Joseph Hallman Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 10/30/23 Published In today’s dynamic digital landscape, the security of hybrid networks has taken center stage. As organizations increasingly adopt cloud solutions, like Azure, the complexities of securing hybrid networks have grown significantly. In this blog post, we’ll provide an overview of the key products and solutions presented in the recent webinar with Microsoft, highlighting how they address these challenges. Azure Firewall: Key features Azure Firewall, a cloud-native firewall offers robust features and benefits. It boasts high availability, auto-scalability, and requires minimal maintenance. Key capabilities include: Filtering and securing both network and application traffic. Support for source NAT and destination NAT configurations. Built-in threat intelligence to identify and block suspicious traffic. Three SKUs catering to different customer needs, with the Premium SKU offering advanced security features. Premium features encompass deep packet inspection, intrusion detection and prevention, web content filtering, and filtering based on web categories. Azure Firewall seamlessly integrates with other Azure services like DDoS protection, API gateway, private endpoints, and Sentinel for security correlation and alerting. AlgoSec: Simplifying hybrid network security AlgoSec specializes in simplifying hybrid network security. Their solutions address challenges such as managing multiple applications across multiple cloud platforms. AlgoSec’s offerings include: Visibility into application connectivity. Risk assessment across hybrid environments. Intelligent automation for efficient and secure network changes. CloudFlow: Managing cloud security policies AlgoSec Cloud, a SaaS solution, centralizes the management of security policies across various cloud platforms. Key features include: A security rating system to identify high-risk Risk assessment for assets Identification of unused rules Detailed policy visibility A powerful traffic simulation query tool to analyze traffic routes and rule effectiveness. Risk-aware change automation to identify potential risks associated with network changes. Integration with Azure Cloudflow seamlessly integrates with Azure, extending support to Azure Firewall and network security groups. It enables in-depth analysis of security risks and policies within Azure subscriptions. AlgoSec’s recent acquisition of Prevasio promises synergistic capabilities, enhancing security and compliance features. Conclusion In the ever-evolving landscape of hybrid networks, Azure Firewall and AlgoSec Cloudflow are powerful allies. Azure Firewall provides robust security for Azure customers, while Cloudflow offers a comprehensive approach to managing security policies across diverse cloud platforms. These solutions empower organizations to master hybrid network security, ensuring the security and efficiency of their applications and services. Resources- View the on-demand webinar here – Understanding your hybrid network security- with AlgoSec and Microsoft Azure.mp4 – AlgoSec Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

As per Cloudwards , a new organization gets hit by ransomware every 14 seconds. This is despite the fact that global cybersecurity... Cyber Attacks & Incident Response How to improve network security (7 fundamental ways) Tsippi Dach 2 min read Tsippi Dach Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 8/9/23 Published As per Cloudwards , a new organization gets hit by ransomware every 14 seconds. This is despite the fact that global cybersecurity spending is up and is around $150 billion per year. That’s why fortifying your organization’s network security is the need of the hour. Learn how companies are proactively improving their network security with these best practices. 7 Ways to improve network security: ` 1. Change the way you measure cyber security risk Cyber threats have evolved with modern cybersecurity measures. Thus, legacy techniques to protect the network are not going to work. These techniques include measures like maturity assessment, compliance attestation, and vulnerability aging reports, among other things. While they still have a place in cybersecurity, they’re insufficient. To level up, you need greater visibility over the various risk levels. This visibility will allow you to deploy resources as per need. At the bare minimum, companies need a dashboard that lists real-time data on the number of applications, the region they’re used in, the size and nature of the database, the velocity of M&A, etc. IT teams can make better decisions since the impact of new technologies like big data and AI falls unevenly on organizations. Along with visibility, companies need transparency and precision on how the tools behave against cyberattacks. You can use the ATT&CK Framework developed by MITRE Corporation, the most trustworthy threat behavior knowledge base available today. Use it as a benchmark to test the tools’ efficiency. Measuring the tools this way helps you prepare well in advance. Another measurement technique you must adopt is measuring performance against low-probability, high-consequence attacks. Pick the events that you conclude have the least chance of occurring. Then, test the tools on such attacks. Maersk learned this the hard way. In the notPetya incident , the company came pretty close to losing all of its IT data. Imagine the consequence it’d have on the company that handles the world’s supply chain. Measuring is the only way to learn whether your current cybersecurity arrangements meet the need. 2. Use VLAN and subnets An old saying goes, ‘Don’t keep all your eggs in the same basket.’ Doing so would mean losing the basket, losing all your eggs. That is true for IT networks as well. Instead of treating your network as a whole, divide it into multiple subnetworks. There are various ways you can do that: VLAN or Virtual LAN is one of them. VLAN helps you segment a physical network without investing in additional servers or devices. The different segments can then be handled differently as per the need. For example, the accounting department will have a separate segment, and so will the marketing and sales departments. This segmentation helps enhance security and limit damage. VLAN also helps you prioritize data, networks, and devices. There will be some data that is more critical than others. The more critical data warrant better security and protection, which you can provide through a VLAN partition. Subnets are another way to segment networks. As opposed to VLAN, which separates the network at the switch level, subnets partition the network at IP level or level 3. The various subnetworks can then communicate with each other and third-party networks over IP. With the adoption of technologies like the Internet of Things (IoT), network segmentation is only going to get more critical. Each device used for data generation, like smartwatches, sensors, and cameras, can act as an entry point to your network. If the entry points are connected to sensitive data like consumers’ credit cards, it’s a recipe for disaster. You can implement VLAN or subnets in such a scenario. 3. Use NGFWs for cloud The firewall policy is at the core of cybersecurity. They’re essentially the guardians who check for intruders before letting the traffic inside the network. But with the growth of cloud technologies and the critical data they hold, traditional firewalls are no longer reliable. They can easily be passed by modern malware. You must install NGFWs or Next Generation Firewalls in your cloud to ensure total protection. These firewalls are designed specifically to counter modern cyberattacks. An NGFW builds on the capabilities of a traditional firewall. Thus, it inspects all the incoming traffic. But in addition, it has advanced capabilities like IPS (intrusion prevention system), NAT (network address translation), SPI (stateful protocol inspection), threat intelligence feeds, container protection, and SSL decryption, among others. NGFWs are also both user and application-aware. This allows them to provide context on the incoming traffic. NGFWs are important not only for cloud networks but also for hybrid networks . Malware from the cloud could easily transition into physical servers, posing a threat to the entire network. When selecting a next-gen firewall for your cloud, consider the following security features: The speed at which the firewall detects threats. Ideally, it should identify the attacks in seconds and detect data breaches within minutes. The number of deployment options available. The NGFW should be deployable on any premise, be it a physical, cloud, or virtual environment. Also, it should support different throughput speeds. The home network visibility it offers. It should report on the applications and websites, location, and users. In addition, it should show threats across the separate network in real-time. The detection capabilities. It goes without saying, but the next-gen firewall management should detect novel malware quickly and act as an anti-virus. Other functionalities that are core security requirements. Every business is different with its unique set of needs. The NGFW should fulfill all the needs. 4. Review and keep IAM updated To a great extent, who can access what determines the security level of a network. As a best practice, you should grant access to users as per their roles and requirement — nothing less, nothing more. In addition, it’s necessary to keep IAM updated as the role of users evolves. IAM is a cloud service that controls unauthorized access for users. The policies defined in this service either grant or reject resource access. You need to make sure the policies are robust. This requires you to review your IT infrastructure, the posture, and the users at the organization. Then create IAM policies and grant access as per the requirement. As already mentioned, users should have remote access to the resources they need. Take that as a rule. Along with that, uphold these important IAM principles to improve access control and overall network security strategy: Zero in on the identity It’s important to identify and verify the identity of every user trying to access the network. You can do that by centralizing security control on both user and service IDs. Adopt zero-trust Trust no one. That should be the motto when handling a company’s network security. It’s a good practice to assume every user is untrustworthy unless proven otherwise. Therefore, have a bare minimum verification process for everyone. Use MFA MFA or multi-factor authentication is another way to safeguard network security. This could mean they have to provide their mobile number or OTA pin in addition to the password. MFA can help you verify the user and add an additional security layer. Beef up password Passwords are a double-edged sword. They protect the network but also pose a threat when cracked. To prevent this, choose strong passwords meeting a certain strength level. Also, force users to update their unique passwords regularly. If possible, you can also go passwordless. This involves installing email-based or biometric login systems. Limit privileged accounts Privileged accounts are those accounts that have special capabilities to access the network. It’s important to review such accounts and limit their number. 5. Always stay in compliance Compliance is not only for pleasing the regulators. It’s also for improving your network security. Thus, do not take compliance for granted; always make your network compliant with the latest standards. Compliance requirements are conceptualized after consulting with industry experts and practitioners. They have a much better authoritative position to discuss what needs to be done at an industry level. For example, in the card sector, it’s compulsory to have continuous penetration testing done. So, when fulfilling a requirement, you adopt the best practices and security measures. The requirements don’t remain static. They evolve and change as loopholes emerge. The new set of compliance frameworks helps ensure you’re up-to-date with the latest standards. Compliance is also one of the hardest challenges to tackle. That’s because there are various types of compliances. There are government-, industry-, and product-level compliance requirements that companies must keep up with. Moreover, with hybrid networks and multi-cloud workflows, the task only gets steeper. Cloud security management tools can help in this regard to some extent. Since they grant a high level of visibility, spotting non-compliance becomes easier. Despite the challenges, investing more is always wise to stay compliant. After all, your business reputation depends on it. 6. Physically protect your network You can have the best software or service provider to protect your wireless networks and access points. But they will still be vulnerable if physical protection isn’t in place. In the cybersecurity space, the legend has it that the most secure network is the one that’s behind a closed door. Any network that has humans nearby is susceptible to cyberattacks. Therefore, make sure you have appropriate security personnel at your premises. They should have the capability and authority to physically grant or deny access to those seeking access to the network on all operating systems. Make use of biometric IDs to identify the employees. Also, prohibit the use of laptops, USB drives, and other electronic gadgets that are not authorized. When creating a network, data security teams usually authorize each device that can access it. This is known as Layer 1. To improve network security policy , especially on Wi-Fi (WPA), ensure all the network devices and workstations and SSIDs connected to the network as trustworthy. Adopt the zero-trust security policies for every device: considered untrustworthy until proven otherwise. 7. Train and educate your employees Lastly, to improve network security management , small businesses must educate their employees and invest in network monitoring. Since every employee is connected to the Wi-Fi network somehow, everyone poses a security threat. Hackers often target those with privileged access. Such accounts, once exploited by cybercriminals, can be used to access different segments of the network with ease. Thus, such personnel should receive education on priority. Train your employees on attacks like phishing, spoofing, code injection, DNS tunneling, etc. With knowledge, employees can tackle such attempts head-on. This, in turn, makes the network much more secure. After the privileged account holders are trained, make others in your organization undergo the same training. The more educated they are, the better it is for the network. It’s worth reviewing their knowledge of cybersecurity from time to time. You can conduct a simple survey in Q&A format to test the competency of your team. Based on the results, you can hold training sessions and get everyone on the same page. The bottom line on network security Data breaches often come at a hefty cost. And the most expensive item on the list is the trust of users. Once a data leak happens, retaining customers’ trust is very hard. Regulators aren’t easy on the executives either. Thus, the best option is to safeguard and improve your network security . Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Oren Amiram, Director of Product at AlgoSec, explains why misconfigurations continue to plague public cloud network services and how... Firewall Change Management Why misconfigurations continue to plague public cloud network services and how to avoid them? Oren Amiram 2 min read Oren Amiram Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 3/18/24 Published Oren Amiram, Director of Product at AlgoSec, explains why misconfigurations continue to plague public cloud network services and how organizations can address these shortfalls with AlgoSec Cloud. Cloud security as a strategy is constantly evolving to meet the needs of organizations for scale, agility, and security. If your organization is weighing the merits of the use of public cloud versus private cloud, here are a few facts to keep in mind. Data shows that the public cloud is the preferred choice. Here’s what’s driving it. Public cloud security has become more ubiquitous thanks to IaaS platforms such as Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. According to Gartner, worldwide end-user spending on public cloud services is expected to grow by 20.4% in 2022 to a total of $494.7 billion, up from $410.9 billion in 2021 It is easy to see why public clouds are so appealing. Unlike private clouds, public cloud platform solutions allow organizations to provide business applications fast and reduce the costs associated with purchasing, managing, and maintaining on-premise hardware and application infrastructure. Furthermore, public clouds enable businesses to set up the required infrastructure much faster than on-premise and provide unmatched scalability, as well as extra security capabilities. Public cloud benefits are abundantly clear, but there’s more to this than meets the eye. As robust as a public cloud platform, there are also challenges that organizations need to overcome. According to a recent global survey on public cloud security risks, just under a third of organizations (31%) were not confident or only slightly confident about their ability to protect sensitive data in a cloud environment and another 44 percent reported they were only moderately confident. Another survey focused on top threats to cloud computing showed that misconfiguration of the cloud platform was one of the top three concerns among respondents. This challenge is even more amplified as evidenced in a separate survey, with nearly 76% of respondents stating their organization uses two or more different public cloud providers. The findings suggest that security teams often have to manage multiple native security and management consoles to enforce security and compliance across different environments. How profound is the impact of misconfigurations on your network? All it takes is a single hole It is no surprise that enterprise IT teams find it difficult to keep their applications secure. Migration of applications to public cloud platforms involves many potential pitfalls. Misconfiguration errors can occur at many different points on the network as part of the migration process, especially when moving from traditional firewalls to cloud security controls. Ongoing management of applications and workflows within the public cloud presents a unique challenge. Many organizations have multiple teams using different methods to manage the applications and the security controls that should protect them, such as Ansible, Chef and Terraform, in addition to manual changes. Even if you are using a single public cloud platform, you still need to manage multiple security controls protecting a multitude of applications. Organizations may have hundreds of separate public cloud accounts, each with multiple VPCs, spread across different regions. These VPCs are protected by multi-layered security controls, from Cloud Infrastructure, such as security groups and network ACLs, cloud-native advanced network firewalls, to Security Products offered by ISVs, such as NG Firewalls. It is easy to see why misconfiguration occurs if IT teams attempt to take on this complex, tedious and labor-intensive process themselves. A single mistake can cause outages, compliance violations and create holes in your security perimeter. Digital Shadows detected over 2.3 billion files that had been Misconfigured storage services have exposed more than 30 billion records and contributed to more than 200 breaches over the past two years. It is safe to assume that as organizations seek to optimize their public cloud deployment, cloud breaches will increase in velocity and scale. According to a recent Accurics report, misconfigured cloud storage services were commonplace in 93% of hundreds of public cloud deployments analyzed. Avoiding misconfiguration risks is easier said than done, but there’s a solution Given that organizations are so concerned about misconfiguration risks, what steps can they take to avoid making them? There are two basic principles that should be followed: Ensuring that only authorized, qualified personnel can make network or security control changes Following a clearly defined change process, with mandatory review and approval for each stage. It’s also important to keep in mind that errors are still likely to occur even while you’re still carrying out your processes manually. Luckily, there is an easy solution – hybrid network-aware automation. This solution enables you to employ network change automation, eliminates guesswork and error-prone manual input, while also simplifying large-scale, complex application migration projects and security change management. Is there a much more holistic solution? Yes, meet AlgoSec AlgoSec’s cloud offering seamlessly integrates with all leading brands of cloud security controls, firewalls (including NGFWs deployed in the cloud), routers, and load balancers, to deliver unified security policy management. With the AlgoSec Security Management Solution, users benefit from holistic management and automation spanning on-premise, SDN and public cloud. AlgoSec cloud offering, including CloudFlow, allows organizations to seamlessly manage security control layers across the hybrid network in three key areas: Visibility across your hybrid network With our cloud offering, you can obtain a full network map of your entire hybrid network security estate, as well as identify risks and correlate them to the assets they impact. You can also achieve instant visibility of cloud assets and security controls, pinpointing and troubleshooting application and network connectivity issues resulting from security policies. Change management Organizations can leverage a uniformed network model and change-management framework that covers the hybrid and multi-cloud environment, with an automated policy push for “zero-touch” automation. You can securely migrate workloads from on-prem to the public cloud and discover the power of CloudFlow’s central policy management, allowing you to orchestrate multiple similar security controls in a single policy. Cloud-centric risk analysis and remediation You can proactively detect misconfigurations to protect cloud assets, including cloud instances, databases and serverless functions. Also, you can easily identify risky security policy rules, the assets they expose and whether they are in use. You can also remediate risk, including cleaning up bloated and risky policies and enjoy audit-ready compliance reporting, including vast support for diverse regulations. Find out more about AlgoSec cloud offering or start your journey through AlgoSec’s hybrid cloud hub . Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

As the most widely adapted open-source container software, Kubernetes provides businesses with efficient processes to schedule, deploy,... Cloud Security Understanding and Preventing Kubernetes Attacks and Threats Ava Chawla 2 min read Ava Chawla Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 10/20/21 Published As the most widely adapted open-source container software, Kubernetes provides businesses with efficient processes to schedule, deploy, and scale containers across different machines. The bad news is that cybercriminals have figured out how to exploit the platform’s vulnerabilities , resulting in catastrophic network intrusions across many company infrastructures. A recent report revealed that 94% of respondents reported security incidents in Kubernetes environments. The question is, what is behind this surge of Kubernetes attacks, and how can they be prevented? How Kubernetes is Vulnerable As a container-based platform, a new set of vulnerabilities, permission issues, and specific images set the stage for the increase in attacks. The threats have included fileless malware in containers, leveraging misconfigured Docker API ports, and using container images for attacks. Misconfigured Docker API Ports Exploitation Scanning for misconfigured Docker API ports and using them for deploying images containing malware is a relatively new type of attack. The malware, designed to evade static scanning, has become a popular method to hijack compute cycles for fraudulent cryptomining. This cryptojacking activity steals CPU power to mine currencies such as Ethereum and Monero. By first identifying vulnerable front-end websites and other systems, attackers send a command through the application layer simply by manipulating a domain’s text field or through an exposed API in the website’s URL. The code then enters the container, where it is executed with commands sent to a Docker container’s shell. A wget command is executed to download the malware. To protect against this attack, enterprises must ensure their container files are not writable, establish CPU consumption limits, and enable alerts to detect interactive shell launches. DDoS Attacks With Open Docker Daemons Cybercriminals use misconfigured open Docker daemons to launch DDoS attacks using a botnet of containers. UDP flood and Slowloris were recently identified as two such types of container-based botnet attacks. A recent blog describes an anatomy of these Kubernetes attacks. The attackers first identified open Docker daemons using a scanning tool such as Shodan to scan the internet for IP addresses and find a list of hosts, open ports, and services. By uploading their own dedicated images to the Docker hub, they succeeded in deploying and remotely running the images on the host. Analyzing how the UDP flood attack was orchestrated required an inspection of the binary with IDA. This revealed the start_flood and start_tick threads. The source code for the attack was found on Github. This code revealed a try_gb parameter, with the range of 0 to 1,024, used to configure how much data to input to flood the target. However, it was discovered that attackers are able to modify this open-source code to create a self-compiled binary that floods the host with even greater amounts of UDP packets. In the case of the Slowloris attack, cybercriminals launched DDoS with the slowhttptest utility. The attackers were able to create a self-compiling binary that is unidentifiable in malware scans. Protection from these Kubernetes attacks requires vigilant assurance policies and prevention of images other than compliant ones to run in the system. Non-compliant images will then be blocked when intrusion attempts are made. Man in the Middle Attacks With LoadBalancer or ExternalIPs An attack affecting all versions of Kubernetes involves multi-tenant clusters. The most vulnerable clusters have tenants that are able to create and update services and pods. In this breach, the attacker can intercept traffic from other pods or nodes in the cluster by creating a ClusterIP service and setting the spec.externalIP’s field. Additionally, a user who is able to patch the status of a LoadBalancer service can grab traffic. The only way to mitigate this threat is to restrict access to vulnerable features. This can be done with the admission webhook container, externalip-webhook , which prevents services from using random external IPs. An alternative method is to lock external IPs with OPA Gatekeeper with this sample Constraint Templatecan. Siloscape Malware Security researcher, Daniel Prizmant, describes a newer malware attack that he calls Siloscape. Its primary goal is to escape the container that is mainly implemented in Windows server silo. The malware targets Kubernetes through Windows containers to open a backdoor into poorly configured clusters to run the malicious containers. While other malware attacks focus on cryptojacking, the Siloscape user’s motive is to go undetected and open a backdoor to the cluster for a variety of malicious activities. This is possible since Siloscape is virtually undetectable due to a lack of readable strings in the binary. This type of attack can prove catastrophic. It compromises an entire cluster running multiple cloud applications. Cybercriminals can access critical information including sign-ins, confidential files, and complete databases hosted inside the cluster. Additionally, organizations using Kubernetes clusters for testing and development can face catastrophic damage should these environments be breached. To prevent a Siloscape attack, it is crucial that administrators ensure their Kubernetes clusters are securely configured. This will prevent the malware from creating new deployments and force Siloscape to exit. Microsoft also recommends using only Hyper-V containers as a security boundary for anything relying on containerization. The Threat Matrix The MITRE ATT&CK database details additional tactics and techniques attackers are using to infiltrate Kubernetes environments to access sensitive information, mine cryptocurrency, perform DDoS attacks, and other unscrupulous activities. The more commonly used methods are as follows: 1. Kubernetes file compromise Because this file holds sensitive data such as cluster credentials, an attacker could easily gain initial access to the entire cluster. Only accept kubeconfig files from trusted sources. Others should be thoroughly inspected before they are deployed. 2. Using similar pod names Attackers create similar pod names and use random suffixes to hide them in the cluster. The pods then run malicious code and obtain access to many other resources. 3. Kubernetes Secrets intrusion Attackers exploit any misconfigurations in the cluster with the goal of accessing the API server and retrieving information from the Secrets objects. 4. Internal network access Attackers able to access a single pod that communicates with other pods or applications can move freely within the cluster to achieve their goals. 5. Using the writeable hostPath mount Attackers with permissions to create new containers can create one with a writeable hostPath volume. Kubernetes Attacks: Key Takeaways Kubernetes brings many advantages to organizations but also presents a variety of security risks, as documented above. However, by ensuring their environments are adequately protected through proper configuration and appropriately assigned permissions, the threat of Kubernetes attacks is greatly minimized. Should a container be compromised, properly assigned privileges can severely limit a cluster-wide compromise. Prevasio assists companies in the management of their cloud security through built-in vulnerability and anti-malware scans for containers. Contact us for more information on our powerful CSPM solutions. Learn about how we can protect your company from Kubernetes attacks and other cyberattacks. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

What is Network Security Monitoring? Network security monitoring is the process of inspecting network traffic and IT infrastructure for... Network Security Top 9 Network Security Monitoring Tools for Identifying Potential Threats Tsippi Dach 2 min read Tsippi Dach Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 2/4/24 Published What is Network Security Monitoring? Network security monitoring is the process of inspecting network traffic and IT infrastructure for signs of security issues. These signs can provide IT teams with valuable information about the organization’s cybersecurity posture. For example, security teams may notice unusual changes being made to access control policies. This may lead to unexpected traffic flows between on-premises systems and unrecognized web applications. This might provide early warning of an active cyberattack, giving security teams enough time to conduct remediation efforts and prevent data loss . Detecting this kind of suspicious activity without the visibility that network security monitoring provides would be very difficult. These tools and policies enhance operational security by enabling network intrusion detection, anomaly detection, and signature-based detection. Full-featured network security monitoring solutions help organizations meet regulatory compliance requirements by maintaining records of network activity and security incidents. This gives analysts valuable data for conducting investigations into security events and connect seemingly unrelated incidents into a coherent timeline. What To Evaluate in a Network Monitoring Software Provider Your network monitoring software provider should offer a comprehensive set of features for collecting, analyzing, and responding to suspicious activity anywhere on your network. It should unify management and control of your organization’s IT assets while providing unlimited visibility into how they interact with one another. Comprehensive alerting and reporting Your network monitoring solution must notify you of security incidents and provide detailed reports describing those incidents in real-time. It should include multiple toolsets for collecting performance metrics, conducting in-depth analysis, and generating compliance reports. Future-proof scalability Consider what kind of network monitoring needs your organization might have several years from now. If your monitoring tool cannot scale to accommodate that growth, you may end up locked into a vendor agreement that doesn’t align with your interests. This is especially true with vendors that prioritize on-premises implementations since you run the risk of paying for equipment and services that you don’t actually use. Cloud-delivered software solutions often perform better in use cases where flexibility is important. Integration with your existing IT infrastructure Your existing security tech stack may include a selection of SIEM platforms, IDS/IPS systems, firewalls , and endpoint security solutions. Your network security monitoring software will need to connect all of these tools and platforms together in order to grant visibility into network traffic flows between them. Misconfigurations and improper integrations can result in dangerous security vulnerabilities. A high-performance vulnerability scanning solution may be able to detect these misconfigurations so you can fix them proactively. Intuitive user experience for security teams and IT admins Complex tools often come with complex management requirements. This can create a production bottleneck when there aren’t enough fully-trained analysts on the IT security team. Monitoring tools designed for ease of use can improve security performance by reducing training costs and allowing team members to access monitoring insights more easily. Highly automated tools can drive even greater performance benefits by reducing the need for manual control altogether. Excellent support and documentation Deploying network security monitoring tools is not always a straightforward task. Most organizations will need to rely on expert support to assist with implementation, troubleshooting, and ongoing maintenance. Some vendors provide better technical support to customers than others, and this difference is often reflected in the price. Some organizations work with managed service providers who can offset some of their support and documentation needs by providing on-demand expertise when needed. Pricing structures that work for you Different vendors have different pricing structures. When comparing network monitoring tools, consider the total cost of ownership including licensing fees, hardware requirements, and any additional costs for support or updates. Certain usage models will fit your organization’s needs better than others, and you’ll have to document them carefully to avoid overpaying. Compliance and reporting capabilities If you plan on meeting compliance requirements for your organization, you will need a network security monitoring tool that can generate the necessary reports and logs to meet these standards. Every set of standards is different, but many reputable vendors offer solutions for meeting specific compliance criteria. Find out if your network security monitoring vendor supports compliance standards like PCI DSS, HIPAA, and NIST. A good reputation for customer success Research the reputation and track record of every vendor you could potentially work with. Every vendor will tell you that they are the best – ask for evidence to back up their claims. Vendors with high renewal rates are much more likely to provide you with valuable security technology than lower-priced competitors with a significant amount of customer churn. Pay close attention to reviews and testimonials from independent, trustworthy sources. Compatibility with network infrastructure Your network security monitoring tool must be compatible with the entirety of your network infrastructure. At the most basic level, it must integrate with your hardware fleet of routers, switches, and endpoint devices. If you use devices with non-compatible operating systems, you risk introducing blind spots into your security posture. For the best results, you must enjoy in-depth observability for every hardware and software asset in your network, from the physical layer to the application layer. Regular updates and maintenance Updates are essential to keep security tools effective against evolving threats. Check the update frequency of any monitoring tool you consider implementing and look for the specific security vulnerabilities addressed in those updates. If there is a significant delay between the public announcement of new vulnerabilities and the corresponding security patch, your monitoring tools may be vulnerable during that period of time. 9 Best Network Security Monitoring Providers for Identifying Cybersecurity Threats 1. AlgoSec AlgoSec is a network security policy management solution that helps organizations automate and orchestrate network security policies. It keeps firewall rules , routers, and other security devices configured correctly, ensuring network assets are secured properly. AlgoSec protects organizations from misconfigurations that can lead to malware, ransomware, and phishing attacks, and gives security teams the ability to proactively simulate changes to their IT infrastructure. 2. SolarWinds SolarWinds offers a range of network management and monitoring solutions, including network security monitoring tools that detect changes to security policies and traffic flows. It provides tools for network visibility and helps identify and respond to security incidents. However, SolarWinds can be difficult for some organizations to deploy because customers must purchase additional on-premises hardware. 3. Security Onion Security Onion is an open-source Linux distribution designed for network security monitoring. It integrates multiple monitoring tools like Snort, Suricata, Bro, and others into a single platform, making it easier to set up and manage a comprehensive network security monitoring solution. As an open-source option, it is one of the most cost-effective solutions available on the market, but may require additional development resources to customize effectively for your organization’s needs. 4. ELK Stack Elastic ELK Stack is a combination of three open-source tools: Elasticsearch, Logstash, and Kibana. It’s commonly used for log data and event analysis. You can use it to centralize logs, perform real-time analysis, and create dashboards for network security monitoring. The toolset provides high-quality correlation through large data sets and provides security teams with significant opportunities to improve security and network performance using automation. 5. Cisco Stealthwatch Cisco Stealthwatch is a commercial network traffic analysis and monitoring solution. It uses NetFlow and other data sources to detect and respond to security threats, monitor network behavior, and provide visibility into your network traffic. It’s a highly effective solution for conducting network traffic analysis, allowing security analysts to identify threats that have infiltrated network assets before they get a chance to do serious damage. 6. Wireshark Wireshark is a widely-used open-source packet analyzer that allows you to capture and analyze network traffic in real-time. It can help you identify and troubleshoot network issues and is a valuable tool for security analysts. Unlike other entries on this list, it is not a fully-featured monitoring platform that collects and analyzes data at scale – it focuses on providing deep visibility into specific data flows one at a time. 7. Snort Snort is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that can monitor network traffic for signs of suspicious or malicious activity. It’s highly customizable and has a large community of users and contributors. It supports customized rulesets and is easy to use. Snort is widely compatible with other security technologies, allowing users to feed signature updates and add logging capabilities to its basic functionality very easily. However, it’s an older technology that doesn’t natively support some modern features users will expect it to. 8. Suricata Suricata is another open-source IDS/IPS tool that can analyze network traffic for threats. It offers high-performance features and supports rules compatible with Snort, making it a good alternative. Suricata was developed more recently than Snort, which means it supports modern workflow features like multithreading and file extraction. Unlike Snort, Suricata supports application-layer detection rules and can identify traffic on non-standard ports based on the traffic protocol. 9. Zeek (formerly Bro) Zeek is an open-source network analysis framework that focuses on providing detailed insights into network activity. It can help you detect and analyze potential security incidents and is often used alongside other NSM tools. This tool helps security analysts categorize and model network traffic by protocol, making it easier to inspect large volumes of data. Like Suricata, it runs on the application layer and can differentiate between protocols. Essential Network Monitoring Features Traffic Analysis The ability to capture, analyze, and decode network traffic in real-time is a basic functionality all network security monitoring tools should share. Ideally, it should also include support for various network protocols and allow users to categorize traffic based on those categories. Alerts and Notifications Reliable alerts and notifications for suspicious network activity, enabling timely response to security threats. To avoid overwhelming analysts with data and contributing to alert fatigue, these notifications should consolidate data with other tools in your security tech stack. Log Management Your network monitoring tool should contribute to centralized log management through network devices, apps, and security sensors for easy correlation and analysis. This is best achieved by integrating a SIEM platform into your tech stack, but you may not wish to store all of your network’s logs on the SIEM, because of the added expense. Threat Detection Unlike regular network traffic monitoring, network security monitoring focuses on indicators of compromise in network activity. Your tool should utilize a combination of signature-based detection, anomaly detection, and behavioral analysis to identify potential security threats. Incident Response Support Your network monitoring solution should facilitate the investigation of security incidents by providing contextual information, historical data, and forensic capabilities. It may correlate detected security events so that analysts can conduct investigations more rapidly, and improve security outcomes by reducing false positives. Network Visibility Best-in-class network security monitoring tools offer insights into network traffic patterns, device interactions, and potential blind spots to enhance network monitoring and troubleshooting. To do this, they must connect with every asset on the network and successfully observe data transfers between assets. Integration No single security tool can be trusted to do everything on its own. Your network security monitoring platform must integrate with other security solutions, such as firewalls, intrusion detection/prevention systems (IDS/IPS), and SIEM platforms to create a comprehensive security ecosystem. If one tool fails to detect malicious activity, another may succeed. Customization No two organizations are the same. The best network monitoring solutions allow users to customize rules, alerts, and policies to align with specific security requirements and network environments. These customizations help security teams reduce alert fatigue and focus their efforts on the most important data traffic flows on the network. Advanced Features for Identifying Vulnerabilities & Weaknesses Threat Intelligence Integration Threat intelligence feeds enhance threat detection and response capabilities by providing in-depth information about the tactics, techniques, and procedures used by threat actors. These feeds update constantly to reflect the latest information on cybercriminal activities so analysts always have the latest data. Forensic Capabilities Detailed data and forensic tools provide in-depth analysis of security breaches and related incidents, allowing analysts to attribute attacks to hackers and discover the extent of cyberattacks. With retroactive forensics, investigators can include historical network data and look for evidence of compromise in the past. Automated Response Automated responses to security threats can isolate affected devices or modify firewall rules the moment malicious behavior is detected. Automated detection and response workflows must be carefully configured to avoid business disruptions stemming from misconfigured algorithms repeatedly denying legitimate traffic. Application-level Visibility Some network security monitoring tools can identify and classify network traffic by applications and services , enabling granular control and monitoring. This makes it easier for analysts to categorize traffic based on its protocol, which can streamline investigations into attacks that take place on the application layer. Cloud and Virtual Network Support Cloud-enabled organizations need monitoring capabilities that support cloud environments and virtualized networks. Without visibility into these parts of the hybrid network, security vulnerabilities may go unnoticed. Cloud-native network monitoring tools must include data on public and private cloud instances as well as containerized assets. Machine Learning and AI Advanced machine learning and artificial intelligence algorithms can improve threat detection accuracy and reduce false positives. These features often work by examining large-scale network traffic data and identifying patterns within the dataset. Different vendors have different AI models and varying levels of competence with emerging AI technology. User and Entity Behavior Analytics (UEBA) UEBA platforms monitor asset behaviors to detect insider threats and compromised accounts. This advanced feature allows analysts to assign dynamic risk scores to authenticated users and assets, triggering alerts when their activities deviate too far from their established routine. Threat Hunting Tools Network monitoring tools can provide extra features and workflows for proactive threat hunting and security analysis. These tools may match observed behaviors with known indicators of compromise, or match observed traffic patterns with the tactics, techniques, and procedures of known threat actors. AlgoSec: The Preferred Network Security Monitoring Solution AlgoSec has earned an impressive reputation for its network security policy management capabilities. The platform empowers security analysts and IT administrators to manage and optimize network security policies effectively. It includes comprehensive firewall policy and change management capabilities along with comprehensive solutions for automating application connectivity across the hybrid network. Here are some reasons why IT leaders choose AlgoSec as their preferred network security policy management solution: Policy Optimsization: AlgoSec can analyze firewall rules and network security policies to identify redundant or conflicting rules, helping organizations optimize their security posture and improve rule efficiency. Change Management: It offers tools for tracking and managing changes to firewall and network data policies, ensuring that changes are made in a controlled and compliant manner. Risk Assessment: AlgoSec can assess the potential security risks associated with firewall rule changes before they are implemented, helping organizations make informed decisions. Compliance Reporting: It provides reports and dashboards to assist with compliance audits, making it easier to demonstrate regulatory compliance to regulators. Automation: AlgoSec offers automation capabilities to streamline policy management tasks, reducing the risk of human error and improving operational efficiency. Visibility: It provides visibility into network traffic and policy changes, helping security teams monitor and respond to potential security incidents. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call